elastic · dainperkins · Aug 13, 2019 · Aug 13, 2019 · Aug 13, 2019 · Aug 13, 2019
diff --git a/code/go/ecs/risk.go b/code/go/ecs/risk.go
diff --git a/generated/legacy/template.json b/generated/legacy/template.json
@@ -701,6 +701,17 @@
             }
           }
         },
+        "risk": {
+          "properties": {
+            "label": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "score": {
+              "type": "long"
+            }
+          }
+        },
         "server": {
           "properties": {
             "address": {

diff --git a/schemas/risk.yml b/schemas/risk.yml
@@ -0,0 +1,52 @@
+---
+- name: risk
+  title: Group
+  group: 2
+  type: group
+  short: Risk Scores and Labels
+  description: >
+    Risk fields represent the normalized comparative sensitivity of internal resources or the potential risk of threats, vulnerabilities, and IOCs.
+
+    At the event level normalized risk is calculated based on any risk metrics available for lookup for the given event
+    (e.g. a user, source, destination in a firewall log, a client and file in a endpoint file/process log). The final event score
+    is calculated by summing the squares of each avaialble risk score and dividing by the total multiple of available scores.
+    As an example:  ( user.risk + source.risk + destination.risk ) / ( user.risk + source.risk + destination.risk )
+
+    Risk labels are for labeling the type of business risk represented by a given resource, typically in reference to the data
+    housed in an asset or zone, the level of access of a given user or group, or the risk represented by a given threat or IOC.
+
+  reusable:
+    top_level: false
+    expected:
+      - event
+      - user
+      - group
+      - client
+      - source
+      - server
+      - destination
+      - cloud
+      - container
+      - network
+      - file
+      - threat
+      - vulnerbility
+
+
+  fields:
+
+    - name: label
+      level: extended
+      type: keyword
+      description: locally relevant label to describe the risk type of asset or data identified either 
+        specific to a local data classification system or regulatory/compliance applicability
+
+      example: public, private, confidential, PCI, CFR21p11, PII, SOX, GDPR
+
+    - name: score
+      level: extended
+      type: long
+      description: comparative risk score quantitavely scoring the level of risk of the asset or data, 
+        or risk represented by a given threat (typically provided by )
+
+      example: 1-10